What is AWS WAF?


Overview

AWS Web Application Firewall (AWS WAF) is the managed web application firewall in AWS's security service lineup. It inspects the HTTP and HTTPS requests that reach a protected resource and identifies, blocks or counts those that match known web application attack patterns. A WAF helps defend against attacks such as SQL injection, cross-site scripting, malicious bot requests and application-layer (HTTP flood) denial of service on cloud-provisioned resources such as an Application Load Balancer (ALB), an Amazon CloudFront distribution or an API Gateway API.

What is AWS WAF?


Any client-facing web application is exposed to a variety of attacks, including DDoS, SQL injection, cross-site scripting (XSS), malicious bot requests, remote command execution and others. Such applications should be deployed behind a web application firewall so that hostile requests are filtered before they reach the application.

AWS WAF inspects every HTTP and HTTPS request forwarded by the protected resource and, according to the rules configured in its web ACL, allows, blocks or merely counts the request. Allow and block end the evaluation of a request; count is non-terminating: it records the match (which is how a new rule is tested before it is allowed to block anything) and lets evaluation continue with the remaining rules.

  • DDoS: a distributed denial-of-service attack floods a website or service with bogus traffic or requests sent from a large number of compromised Internet-connected devices. AWS WAF addresses the application-layer form with rate-based rules that block a source IP once it exceeds a request threshold; volumetric network- and transport-layer floods are handled by AWS Shield rather than by the WAF.
  • SQL injection: an attacker inserts SQL syntax into input strings that the application concatenates into a query, so the database server parses and executes the attacker's code along with the intended statement.
  • Cross-site scripting (XSS): an attacker injects client-side script into pages served by a trusted site, so that the script runs in other users' browsers with that site's privileges.

AWS WAF protects a resource (CloudFront, API Gateway, Application Load Balancer and the other resource types listed below) through a web access control list (web ACL). A web ACL holds a set of rules and a default action: each rule pairs a match statement with an action (allow, block or count), and the default action decides what happens to any request that no terminating rule matched. The rules can be written by the user, or taken from AWS Managed Rules, the rule groups AWS maintains for common attack classes.

Rather than adding rules one at a time, several rules can be combined into a reusable rule group that any number of web ACLs can reference. The web ACL decides whether to allow, block or count each web request by evaluating these rules in ascending priority order.

Features of AWS WAF

  1. AWS WAF Bot Control: the Bot Control managed rule group identifies and filters bot traffic, which can otherwise consume capacity and cause downtime for the web application.
  2. Accessible using APIs: every AWS WAF feature is available through the API, and therefore through the CLI, the SDKs and infrastructure-as-code tools. This lets organizations create and maintain rules automatically and build them into their development and deployment pipelines.
  3. AWS Firewall Manager integration: AWS WAF integrates with AWS Firewall Manager, which applies web ACL policies centrally across multiple accounts and resources and simplifies security management and compliance.
  4. Monitoring and logging: in addition to CloudWatch metrics and CloudTrail auditing of API calls, web ACL traffic logging can be enabled to record every inspected request, giving detailed visibility into the requests made to a protected resource.
  5. Web traffic filtering: rules filter requests on source IP address, country of origin, HTTP headers, the HTTP body, or the URI path and query string of a request.

How Does AWS WAF Work?

  • WAF web ACL: a web ACL specifies the set of rules and the default action that make up the protection strategy for a resource. AWS WAF acts on each request according to the rules in that web ACL.
  • Web ACL association with AWS resources: the web ACL is associated with AWS resources such as:
    • Amazon CloudFront distribution: CloudFront is a content delivery network (CDN) that significantly improves download speed for content. It offers a globally dispersed network of edge servers that cache content to reduce latency.
    • Amazon API Gateway REST API: API Gateway is the AWS service for creating, deploying and managing RESTful APIs that front applications, AWS Lambda functions or other AWS services.
    • Application Load Balancer: an AWS load balancer that distributes incoming requests across multiple application targets.
    • AWS AppSync GraphQL API: AWS AppSync supports the development of GraphQL APIs for modern applications.
    • Amazon Cognito user pool: a Cognito user pool is a user directory that an application can use as its authentication service.
  • Restrictions on web ACL association:
    • Each resource can have only one web ACL.
    • A web ACL for CloudFront is created with the CLOUDFRONT scope in the us-east-1 region and cannot be associated with any other resource type; a regional web ACL cannot be associated with a CloudFront distribution.

To work with AWS WAF, first determine which resources need protection, then create a web ACL for each resource type and associate it with the resource. Within the web ACL, define the set of rules, and the default action, that will be applied to traffic in order to protect the resource from malicious web requests.
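To make the evaluation order concrete, the following toy model (an added example, not code from AWS or from this page) reproduces the documented behaviour of a web ACL: rules run in ascending priority order, allow and block are terminating, count is non-terminating, and the default action applies when nothing terminating matched. The match helpers (`ip_set`, `uri_contains`, `body_contains`, `header_equals`) are stand-ins for the real WAF statement types, and the sample web ACL, rule names and requests are constructed for illustration.

```python
"""Toy model of AWS WAF web ACL evaluation.

Added example, not code from AWS or from this page. It models only the
documented evaluation order: rules are checked in ascending priority order,
Allow and Block are terminating actions, Count records a match and lets
evaluation continue, and the web ACL's default action applies when no
terminating rule matched. Managed rule groups, CAPTCHA/Challenge actions
and text transformations other than lowercasing are deliberately left out;
the match helpers below are stand-ins for the real WAF statement types.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass
class Request:
    ip: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    name: str
    priority: int
    matches: Callable[[Request], bool]
    action: str  # "ALLOW", "BLOCK" or "COUNT"


@dataclass
class WebACL:
    default_action: str  # "ALLOW" or "BLOCK"
    rules: list


# --- match statements (hypothetical stand-ins, not the wafv2 API) ---------
def ip_set(*cidrs):
    """IPSetReferenceStatement stand-in: source IP inside one of the CIDRs."""
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.ip) in n for n in nets)


def uri_contains(needle):
    """ByteMatchStatement stand-in on UriPath, CONTAINS, LOWERCASE transform."""
    return lambda r: needle.lower() in r.uri.lower()


def body_contains(needle):
    """ByteMatchStatement stand-in on Body with the same transform."""
    return lambda r: needle.lower() in r.body.lower()


def header_equals(name, value):
    """SingleHeader match stand-in; header names compare case-insensitively."""
    return lambda r: any(k.lower() == name.lower() and v == value
                         for k, v in r.headers.items())


def evaluate(acl: WebACL, req: Request):
    """Return (final_action, terminating_rule_name_or_None, counted_rule_names)."""
    counted = []
    for rule in sorted(acl.rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)   # non-terminating: keep evaluating
            continue
        return rule.action, rule.name, counted  # ALLOW / BLOCK terminate
    return acl.default_action, None, counted


def sample_acl() -> WebACL:
    """Constructed sample web ACL; 203.0.113.0/24 is a documentation range."""
    return WebACL(default_action="ALLOW", rules=[
        Rule("block-bad-ips", 0, ip_set("203.0.113.0/24"), "BLOCK"),
        Rule("allow-health-check", 5, uri_contains("/healthz"), "ALLOW"),
        Rule("count-admin-paths", 10, uri_contains("/admin"), "COUNT"),
        Rule("block-sqli-like-body", 20, body_contains("union select"), "BLOCK"),
        Rule("block-scanner-ua", 30, header_equals("User-Agent", "sqlmap"), "BLOCK"),
    ])


if __name__ == "__main__":
    acl = sample_acl()
    probes = [  # constructed requests
        Request("203.0.113.7", "/healthz"),                        # bad IP wins: priority 0
        Request("198.51.100.4", "/admin/login"),                   # counted, then default ALLOW
        Request("198.51.100.4", "/admin/search",
                body="q=1 UNION SELECT user,pass FROM users"),     # counted, then BLOCK
        Request("198.51.100.4", "/healthz", body="union select"),  # early ALLOW hides the SQLi rule
    ]
    for p in probes:
        print(p.uri, "->", evaluate(acl, p))
```

The last probe is the pitfall worth remembering when ordering real rules: an allow rule at a low priority number short-circuits every block rule after it, so broad allow rules (health checks, trusted IP ranges) should be as narrow as possible and placed deliberately.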

Architecture of AWS WAF


  • Create a policy: a visual rule builder lets users write their own rules to filter web requests; both user-defined rules and managed rule groups are available.
  • Block & filter: the rules in the web ACL allow, block or count the requests they match.
  • Monitor: CloudWatch metrics, sampled requests and web ACL logs give detailed monitoring of the web requests made to the protected resource.

How to Get Started with AWS WAF?

  1. Log in to AWS and navigate to the AWS WAF console.
  2. Choose Create web ACL.
  3. Enter a name for the web ACL.
  4. Choose the resource type (CloudFront, or a regional resource such as an ALB) and, for regional resources, the region; CloudFront web ACLs are global and are managed from us-east-1.
  5. Next, add rules: create a custom rule (for example a string match statement on the URI path) or add an AWS Managed rule group from the list of available rule groups, and set the default action for requests no rule matches.
  6. Set the priority of each rule if more than one rule has been added; priorities must be unique within the web ACL.
  7. If necessary, configure CloudWatch metrics and request sampling.
  8. Review and choose Create web ACL.
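The same web ACL can be created through the API instead of the console. The script below (an added example, not AWS's or this page's own code) assembles a wafv2 `CreateWebACL` request with the pieces the console steps produce: a name and scope, a default action, a custom byte-match rule, an AWS Managed rule group, unique priorities and CloudWatch visibility settings, and checks two constraints the service enforces at creation time before anything is sent. The web ACL name, rule names, metric names and the `/admin` search string are illustrative assumptions.

```python
"""Build a wafv2 CreateWebACL request for the console flow above.

Added example, not AWS's or this page's own code. Produces a request body
in the shape the wafv2 API accepts; the names and search string are
assumptions for illustration.
"""
import base64
import json


def visibility(metric_name):
    """Per-rule and per-ACL CloudWatch metrics plus sampled requests."""
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def byte_match_rule(name, priority, search, field_to_match, action="Block"):
    """Custom rule: string match on a request field after lowercasing."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ByteMatchStatement": {
            "SearchString": search.encode(),            # boto3 takes bytes here
            "FieldToMatch": field_to_match,             # e.g. {"UriPath": {}}
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "CONTAINS"}},
        "Action": {action: {}},
        "VisibilityConfig": visibility(name),
    }


def managed_rule_group(name, priority, vendor="AWS"):
    """AWS Managed rule group reference; these take OverrideAction, never Action."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": name}},
        "OverrideAction": {"None": {}},   # keep the group's own rule actions
        "VisibilityConfig": visibility(name),
    }


GROUP_STATEMENTS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")


def rule_problems(rules):
    """Checks the service enforces at CreateWebACL time; returns a list of messages."""
    problems = []
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        problems.append("rule priorities within a web ACL must be unique")
    for r in rules:
        is_group = any(k in r["Statement"] for k in GROUP_STATEMENTS)
        if is_group and "Action" in r:
            problems.append(f"{r['Name']}: rule-group rules use OverrideAction, not Action")
        if not is_group and "Action" not in r:
            problems.append(f"{r['Name']}: custom rules need an Action")
    return problems


def build_web_acl(name, scope, rules, default_action="Allow"):
    """scope is REGIONAL (ALB, API Gateway, ...) or CLOUDFRONT (created in us-east-1)."""
    if scope not in ("REGIONAL", "CLOUDFRONT"):
        raise ValueError(f"unknown scope {scope!r}")
    problems = rule_problems(rules)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Name": name,
        "Scope": scope,
        "DefaultAction": {default_action: {}},
        "Rules": sorted(rules, key=lambda r: r["Priority"]),
        "VisibilityConfig": visibility(name),
    }


def to_cli_json(web_acl):
    """For `aws wafv2 create-web-acl --cli-input-json file://acl.json`; blobs are base64."""
    def encode_blob(obj):
        if isinstance(obj, bytes):
            return base64.b64encode(obj).decode()
        raise TypeError(f"not serialisable: {type(obj)}")
    return json.dumps(web_acl, default=encode_blob, indent=2)


if __name__ == "__main__":
    acl = build_web_acl("demo-web-acl", "REGIONAL", [
        byte_match_rule("block-admin-path", 0, "/admin", {"UriPath": {}}),
        managed_rule_group("AWSManagedRulesCommonRuleSet", 1),
    ])
    print(to_cli_json(acl))
    # With credentials configured: boto3.client("wafv2").create_web_acl(**acl)
```

The dictionary is passed unchanged as keyword arguments to boto3's `create_web_acl`; for the CLI, write the JSON to a file and pass it with `--cli-input-json`, adding `--region us-east-1` when the scope is `CLOUDFRONT`. Once the web ACL exists, `associate-web-acl` attaches it to the resource ARN.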

Pricing of AWS WAF

The cost of using AWS WAF depends on the number of web access control lists (web ACLs) you create, the number of rules you add to each web ACL and the volume of web requests you process. Each web ACL costs $5.00 per month (prorated by the hour), each rule costs $1.00 per month (prorated by the hour), and requests are charged at $0.60 per million. These are the base rates; some managed rule groups, such as Bot Control, are priced separately.

Conclusion

  • AWS WAF is a managed web application firewall that inspects the HTTP and HTTPS requests reaching a protected resource and, according to the rules in its web ACL, allows, blocks or counts each one. Applications should be deployed behind a web application firewall to protect them from web-layer attacks.
  • AWS WAF integrates with AWS Firewall Manager, which simplifies security management and compliance across multiple AWS resources. Web ACL traffic logging can be enabled in addition to CloudWatch metrics and CloudTrail logging when configuring a web ACL.
  • Web ACL rules allow, block or count matching requests, evaluated in priority order. Detailed monitoring of web requests is available through CloudWatch metrics.
  • The cost of AWS WAF is determined by the number of web ACLs you create, the number of rules in each, and the volume of web requests you process.